Hundreds of Scam Apps Hit Over 10 Million Android Devices

Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars. 

Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like “Handy Translator Pro,” “Heart Rate and Pulse Tracker,” and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to “confirm” their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It’s a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.

The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it’s significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.

“This is impressive delivery in terms of scale,” says Richard Melick, Zimperium’s director of product strategy for end-point security. “They pushed out the full gauntlet of techniques across all categories; these methods are refined and proven. And it’s really a carpet-bombing effect when it comes to the quantity of apps. One might be successful, another might not be, and that’s fine.”

The operation targeted Android users in more than 70 countries and specifically checked their IP addresses to get a sense of their geographic regions. The app would show webpages in that location’s primary language to make the experience more compelling. The malware operators took care not to reuse URLs, which can make it easier for security researchers to track them. And the content the attackers generated was high quality, without the typos and grammatical errors that can give away more obvious scams.

Zimperium is a member of Google’s App Defense Alliance, a coalition of third-party companies that help keep tabs on Play Store malware, and the company disclosed the so-called GriftHorse campaign as part of that collaboration. Google says that all of the apps Zimperium identified have been removed from the Play Store and the corresponding app developers have been banned.

The researchers point out, though, that the apps—many of which had hundreds of thousands of downloads—are still available through third-party app stores. They note also that while premium SMS fraud is an old chestnut, it’s still effective because the malicious charges typically don’t show up until a victim’s next wireless bill. If attackers can get their apps onto enterprise devices, they can even potentially trick employees of large corporations into signing up for charges that could go unnoticed for years on a company phone number.

Though taking down so many apps will slow the GriftHorse campaign for now, the researchers emphasize that new variations always crop up.

“These attackers are organized and professional. They set this up as a business, and they’re not just going to move on,” says Shridhar Mittal, Zimperium’s CEO. “I’m certain this was not a one-time thing.”

